Coming in January: ‘Month of Apple Bugs’

A pair of security researchers has picked January 2007 as the starting point for a month-long project in which each passing day will feature a previously undocumented security hole in Apple’s OS X or in Apple applications that run on top of it. The ‘Month of Apple Bugs’ project, currently slated to begin on Jan. 1, is being orchestrated in part by a security researcher who asked to be identified only by his online alias ‘LMH’. This is the same researcher who in November ran the ‘Month of Kernel Bugs’ project. LMH’s partner in this project is Kevin Finisterre, a researcher who has reported numerous bugs to Apple over the past few years. As with the kernel bugs project, Apple will be given no advance notice with the Month of Apple Bugs, LMH said.

45 Comments

I’m having trouble seeing value in this “project”. Is the point to demonstrate that Apple products have security vulnerabilities? We already know they do. Is the point to show that Apple doesn’t patch them? We already know they’re not entirely up to date on this. Is the point to try and make Apple step up a gear in security? Maybe.

In the end, the means I don’t believe justify the end. Why should innocent end users be potentially exposed to risks just because one individual feels the need to take an entire month to drag out releasing these problems, particularly when Apple are not being given prior notice?

It’s not like these things just fall on your lap ready for projects like these. They take time and research. By the time the final one is obtained to total the number of days for the month, how long was the first one sitting with the project organiser? Isn’t this exposing people to risks by keeping them to one’s self? Doesn’t this action in itself constitute a lack of concern for security?

I wonder how much will be “earnt” through website ads as people visit each day to see what’s next?

This smells of grandstanding and ego power tripping. If one is seriously interested in improving the security of a product there are far more prudent methods.

Or is the Mighty Microsoft Marketing Machine throwing some dollars around to try to help out Vista? I just find the timing of this “project” – to coincide with the public release of Vista – very interesting.

And I agree 100% with the view that by not providing Apple with prior notice this is just a moronic stunt that puts end users at potentially serious risk.

Good on you idiot – may the bugs of a thousand Windows infest your PC…

Ad-revenue? Meh, at best it’ll pay for the bandwidth. If they wanted to make money, they could use any of these 30/1 exploits, put together the first effective Mac malware and sell it underground / use it to pharm.

Well the point is to educate people who think the bugs patched are the only ones. More likely every piece of software has bugs, flaws and vulnerabilities.

Patching is nice but not enough. It’s running behind the facts all the time. More important are the roles of advanced security mechanisms such as SELinux, Grsec, RSBAC and the like to mitigate the effect of a potential exploit.

I guess it’d depend on whom you’re trying to educate. If it’s the end user, then it’s a really selfish way about it as you’re exposing them to potential risks. If it’s the vendor, like I said there are other ways to go about it. In this instance Apple isn’t getting any notice prior.

*Everyone* ought to be **hating** these people. Bringing a bug to light without notifying the manufacturer puts everyone *using* the system at risk. It costs Apple itself nothing, it costs users their security.

In my mind, this is tantamount to hacking, and I can’t see any value of it other than ego.

Have you guys taken a look at the other “month of”? These are great projects to raise security awareness.

Hopefully this will lead Apple to actually have a patch cycle. Often security holes will go as long as or longer than MS’s. With no cycle, how can mac admin expect to implement an effective update strategy?

And I can see the huge difference in Windows’ and MacOS’ relative security. Why can’t you?

Does that difference correlate with market share? It’s often been said that if OSX was as popular as Windows, then it would have as many problems. Now we’re seeing (potentially) that those problems are there, they just aren’t being found and/or taken advantage of. Yet.

If OSX has exploitable flaws, but is relying on security through obscurity, then that is a bad thing.

Note how this post drops into passive tense. That is often a good indication that something unverifiable is about to be presented.

“””Now we’re seeing (potentially) that those problems are there, they just aren’t being found and/or taken advantage of. Yet.”””

Yep.

See how he is trying to equate “any security vulnerabilities at all” with the level of vulnerability that Windows “enjoys” today?

Why did you spend so much time doing armchair psycho-analysis on my post and then just agree with it?!? Are you just trying to sound like you have a clue, because you really just come across as a wanker.

Let me go a little slower, so you can keep up.

1) Apple market share is on the rise. That is verifiable.

2) Bugs and flaws *being found* in OSX are on the rise. That is also verifiable.

At no point did I equate the number of flaws in Windows to the number of flaws in OSX. My assertion is simply that the bugs in OSX were always there (as is the case with any sufficiently complex piece of software) and are being *found* at a greater rate due to the increased marketshare. Pretty much what Windows fanboys claim.

OSX fanboys, on the other hand, claim (present tense, just for you) that the low number of security flaws are based solely on the superior software from Apple, which doesn’t seem to be the case.

I expect that as (if?) OSX marketshare increases, that the number of discovered flaws will also increase, at a roughly similar rate (future tense).

What does that mean? Well, if the correlation holds true, then it means the Windows fanboys were right and the OSX fanboys were wrong. And that, I imagine, annoys the OSX fanboys immensely.

The next few years will be interesting.

—

Fixed a small typo. I don’t want to get psycho-analyzed on my spelling.

“Feel free to feel pissed off, I think this is a fair reaction to the BS marketing employed by Apple about how windows has a million viruses, while Apple has none.

While you recognize that Apple has its own share of security issues, most Apple fanboys do not. They still consider Apple to be somehow magically secure.”

I am sorry but I don’t think that you can deny the fact that OS X is virus free. Do you deny that? That’s a matter of fact so far. Of course I would agree if you say that it may change, nobody knows!

Now, what is the point of saying that it is BS marketing? What Apple says is true, it is true, there is no virus on OS X, again you can’t deny it yourself.

Also I really don’t think that all mac users think that their OS is 100% sure. I mean there are very few people who really think so. I guess that this image of mac users being not aware of security comes from the fact that people think that mac users are saying that OS X is bullet proof, a 100% percent secure OS. That’s not true, mac users are saying that OS X is more secure, again this does not have the same meaning as saying that OS X is 100% secure. Being more secure does not imply being 100% secure.

A lot of people like to change what it is really about to use it as trolling arguments. You will really find few mac users saying that OS X is an absolutely secure OS, what they say is that it is more secure than Windows. And it is true, whatever the reason you put behind this matter of fact, this is true!!!!

Well, why is it more secure? Smaller market share? Maybe, it could be one of the reasons.

Is it difficult to create a virus on mac? Well it is also true. Remember the story of this concept of malware on OS X, Macarena, a few months ago.

The source code of the virus has been distributed, so we could read things like this:

“However, in the source code, Ducklin said the author had expressed what appears to be frustration at trying to make the virus effective on Apple’s platform.

Ducklin said: “In the source code, which is a mishmash of stuff, there is a comment where the author says ‘so many problems for so little code’. So it does look as though virus writers, fortunately, still have a way to go before they are able to write Mac viruses with the proficiency and fluidity that they can for Windows.

“It doesn’t have any of the characteristics of a modern effective or dangerous Windows worm or Trojan, it is a simple appending parasitic infector.”

He also revealed Macarena will only affect Intel-based Macs: “This is an Intel specific thing – not Power PC.”

However, Ducklin warned the Apple community not to be complacent because although writing malware for the Mac is more difficult than it is for Windows, the users’ common sense can be a weak point.

”

This story seems to show us that OS X is more secure (notice again, I said more secure) when it comes to viruses, this is a perfect real situation difficult to deny.

Of course more secure does not mean that OS X does not have any code flaws, any software as complex as OS X has holes. Finding holes can only make the software more secure as long as the software editor does a good job at fixing them. Here Apple is also doing a rather good job compared to Microsoft, just compare the number of unpatched flaws in Apple software compared to Microsoft at the Secunia web site. 9 unpatched flaws in OS X compared to 29 in WinXP Pro. Any reasonable person will conclude that OS is more secure.

That’s just good sense, again I don’t say 100% secure (it is obviously not if I look at the Secunia numbers) but it is more secure. Fewer known unpatched flaws make a given software more secure than another software which has more known unpatched flaws. This is just logical!!!!

So again I really don’t think that mac users are saying that OS X is absolutely secure, but they do say that it is more secure, and so far it seems to be true.

Perhaps it might be a bit of a wakeup call for those who are blindly advocating “switch to OS X” as a cure-all for contemporary security problems. Not that a wakeup call should be needed for a suggestion that amounts to “Hey, the boat is leaning dangerously to port – let’s everyone run over to the starboard side instead, that will fix it.”

“Or is the Mighty Microsoft Marketing Machine throwing some dollars around to try to help out Vista? I just find the timing of this “project” – to coincide with the public release of Vista – very interesting. ”

Not interesting, just lame and trolling. A good start is to read the article, where they reason for their project. I think it’s great. If the same project was for windows – you would think so too.

Not interesting, just lame and trolling. A good start is to read the article, where they reason for their project. I think it’s great. If the same project was for windows – you would think so too.

He’s trolling, I agree. But I also think that not giving advice of the bugs to the vendor is a weird idea. I mean, the goal of the project is to expose some bugs so they can eventually be fixed. Exposing them before Apple fixes them or, at least, finds a workaround is just a nonsense.

“Oh, great, this guy is saying on the web that you can hack any Mac with just a spoon and a piece of chalk.”

I don’t really think that such action is anything else than attracting the media attention to some bunch of incompetent security researchers!!

Why do I say that? Well I am sorry but this ‘LMH’ is just a big liar, who only knows spreading fuds around mac security for his own benefit.

I mean saying that you found a security bug in a software is rather easy to do, proving that your claim is correct is another story. And this is where ‘LMH’ is incompetent, or maybe I could also say a liar.

Remember the ‘Months of kernel bug’. ‘LMH’ came very excited (to the point where he was near to make a hole in his pan) to the media to tell them he found a security bug in OS X that could trigger a remote attack. This security bug was related to disk images, and ‘LMH’ made the statement that a corrupted disk image could trigger a remote attack, a memory corruption, or whatever else an attacker could do remotely.

The point is that the only thing that ‘LMH’ discovered was that a disk image corrupted in a certain way could kernel panic OS X and from this, he concluded that triggering a kernel panic equals a security bug. However he did not bother to verify whether indeed such a bug could really trigger a remote attack.

Being so incompetent or just a liar, someone else bothered to check whether or not this bug was really a security bug or just a bug that the only thing that it can do to the user is crashing his/her computer.

Alastair did go through a detailed analysis of the bug described by ‘LMH’ and concluded this:

”

So, what have we learned:

– It is not a memory overwrite bug.

– It is not exploitable, except in that you can kernel panic a machine if you can persuade a user to double-click a damaged dmg file.

– It is not, therefore, possible to use this bug for privilege elevation or to execute arbitrary code in the kernel.

So now why should I/we believe anything coming from this guy? Because this is the problem, how can we believe so-called security researchers when they lie to us for their own benefit?

And the other problem is that a lot of them get so excited because they found a bug in OS X (media love such guys) to the point where they do not bother any more to check if what they discovered is really what they think it is.

In the case of ‘LMH’, it’s a lie, that’s how I call it. Saying that he discovered a security bug when he did not even check whether it was really the case or not, is a lie.

In conclusion, what is the credibility of this guy for this ‘Months of Apple bugs’? I would be glad that some people wish to improve the security of a given software. But is it really the aim here, or is it just fud, …….plain fud? This guy already lied, why won’t he do it again?

So for me what he says now is just a plain media attraction procedure (manipulated by a third party or not), in other words ……. bullshit!!!!

When Alastair wrote his article to explain the disk image bug and to prove that what ‘LMH’ said was wrong, I submitted the news related to the Alastair article to osnews but it did not get published. What I want to say is that people believe easily wrong information but which sounds exciting. When it comes to saying the truth, well that’s another story, it’s a much more difficult task to spread it.

How many web sites covered the disk image bug described by ‘LMH’? Plenty of them!!!!

How many of them did cover Alastair’s article which says the TRUTH?

Well that’s really the rub isn’t it? I mean, it’s like any sort of headline grabbing claim. It doesn’t matter if it’s true or not, because once the damage has been done, the “retraction” will never see the light of day.

What this guy should have done if he wanted to grab headlines was:

1) Find a bunch of security related bugs in OSX

2) Tell Apple and say “I give you a month” or whatever

3) Wait 1 month

4) Publish findings publicly to shame them, including the part about notifying them in advance

Then he would seem responsible, yet would grab even more headlines. This just kind of makes him look like a tool.

Yup – I think that’s what it boils down to. A lot of this can be traced back to the wireless vulns found by Maynor and Cache earlier this year which were denied vociferously by the Apple community. Apple silencing Maynor was the final straw for many grey hats, I guess.

“Apple silencing Maynor was the final straw for many grey hats, I guess.”

Prove it!

This idea of Apple silencing Maynor is not even an official statement from Maynor himself. This came first from a poor and miserable journalist, Brian Krebs, who is claiming that Maynor told him such a thing. So already here be careful, you don’t know where you are going!!!

And even if Maynor really made such a statement, why is Apple saying that Maynor never came to them to describe the bug he was talking about? Why should we believe Maynor and not Apple? I mean Apple is a serious company, who can really believe that they sent one of their representatives to tell a lie publicly?

During the “Months of bug”, a security bug affecting the first generation of airport was discovered and described. When Apple shipped a security patch for it, the two researchers who discovered the issue were granted for their help! That’s how it works, someone finds a bug, he/she lets Apple know about it, Apple thanks him/her.

With Vista coming to mere mortals PC in 1/2007 it pretty much taste like this.

Everybody knows that no OS is bullet proof and so it is with OS X.

I really don’t like that way to first make a hole public and then inform the company… if they even inform them. It doesn’t matter if the affected company is Apple, Microsoft, IBM or a community like *BSD or Linux.

The only effect of such a behavior is getting the users in danger.

Oh… and the guys behind the project get a lot of attention…. can you say attention whore?

In the end, the means I don’t believe justify the end. Why should innocent end users be potentially exposed to risks just because one individual feels the need to take an entire month to drag out releasing these problems, particularly when Apple are not being given prior notice?

I think that this is a useful exercise because it is a simulation of reality. Think of it this way: a hacker wouldn’t think of informing users of a new exploit, and they would be causing harm. This group is simply illustrating that there are potential exploits in a dramatic way.

Why use a dramatic way to inform the public of these exploits? If this project does have a high profile in the media, they informed Apple before hand, and gave Apple an opportunity to patch the software, Apple would end up releasing patches before the release and everyone would go through life saying, “look, no problem because Apple is fixing it promptly.”

But that would be misleading because those patches take time to develop, even when they are receiving priority treatment because they are being actively profiled in the media. This way we can see how long it takes Apple to fix things when they are under the gun. We can only assume that fixes would take longer to come out when there is less pressure from projects such as this one.

In other words, by doing things in this way we get a more accurate and first hand impression of how secure Mac OS X really is.

I think this is a flawed method because the very people who are meant to be somehow protected by giving Apple a ‘dramatic’ demonstration so they move quicker, are the very people who will suffer.

As for pressure, I’ll agree that pressure may cause a vendor to move quicker, but in this instance they have no choice but to sit back to wait and see what’s released publicly.

If one is really set on releasing the exploit publicly if Apple chooses not to act, then a more appropriate method in my mind would be to give Apple all the technical information as well as a month to correct a flaw making sure they’re aware of the deadline. That way there’s pressure, sufficient prior notice and known consequences.

In my view however, one cannot be serious about protecting a user’s security on a platform if they’re prepared to allow a vulnerability to go freely into the hands of the very people who will exploit it.

How do you know these vulnerabilities are new? Stuff gets “rediscovered” all the time. Look at the MoBB stuff. HD Moore said he got emails from hackers out there giving him shit for releasing to the public something they had been using to exploit systems.

This must be the opening shot for the year of useless wastes of oxygen. We will have some total tools wasting their space on earth and what few gifts they have on the lamest projects in the most destructive way imaginable every month.

Well, as fun as it might be to see Apple get a little egg on their face over the matter, still I have to generally concur with the general feeling on this, ego sounds like a prime motive.

On the larger topic, I’ve been wondering for a while now about the whole legitimacy of “security” and its experts in the field of computing. Really, even calling it security (along with all those associated aren’t-I-cool buzz words like zero day exploits and such) is to me a bit of a gimmick to give it a sometimes undeserved legitimacy. Can software be broken by doing bad, unintended things to it? Sure, but so can a car, a vcr, and just about anything else made of mechanical parts. How much of the problem and subsequent need of having security experts are in fact due to the actions and research of the so-called experts themselves?

(Yeah, I know, there are folks out there who’ll use some of this stuff to do things like stealing credit card number and such, and now we need to protect against that so we can’t go completely careless. My point remains though about questioning whether the providers of the solution are in fact also, at least in part, the parties responsible for the problem.)

Can software be broken by doing bad, unintended things to it? Sure, but so can a car, a vcr, and just about anything else made of mechanical parts.

Not quite. Would you drive another 1000 miles knowing the hydraulic system of your car has a bug (production time error) and may or may not cease to function?

Nobody deliberately caused that bug (broke something).

Now as some other poster said he wondered how soon Apple would respond. The car manufacturer would have to call back the production numbers known to have that potential dangerous flaw. Law suits can be very nasty.

Now doing nothing with the knowledge of those bugs being present is as bad as letting you drive another 1000 miles or more, doesn’t matter, knowing the hydraulic system (steering, brakes, etc) might collapse.

Those cars are manufactured according to standards of production that are way superior to any software project.

Any software has either a “we are not responsible for any harm caused by our software” line or is terribly expensive.

Yet I don’t know a manufacturer that puts that line on any car.

There’s just a very unhealthy situation of less competition in OS land.

You know, even a legitimate self-respecting hacker wouldn’t pull a stunt like this. This guy either has absolutely nothing up his sleeve or he is in fact trying to damage Apple and their user base, either way he should be shut down. I guess it’s pretty much a moot point since the Apple Henchmen (Attorneys) are probably knocking on his door right now anyway.

What this guy is doing is immoral and you could say he has no ethics. I don’t agree with him in just releasing the bugs without giving Apple any notice but there is no law that says you have to give the manufacturer a notice on security issues. Its more like a rule of thumb, the unwritten rule to notify the company first. While companies probably don’t want to hear about any flaws in their products giving them advanced notice will probably get you on their good side.

I think one of the points that will be made, is Apple is not doing enough already. Sure, it’s nice to fix stuff once other people discover it for you, but…

That’s not a realistic picture as another poster has said. Real crackers don’t disclose stuff to the vendors, so even this project finding bugs and disclosing them is much better than the alternative: a real cracker finding the bugs, selling them underground to highest bidder, and a real malware being developed that hits without any warning.

If two security researchers can find 31 bugs (sure, not all of them might compromise your computer, but a KP is still a ‘denial of service’ security vulnerability – and it would happen by just visiting a malicious website [if Safari is set to open safe files, like it is by default]), then Apple could be finding such things too.

It raises the question, why doesn’t Apple hire a team internally, let’s say 5 people, that would proactively be finding such bugs in their software, so as to make their code more secure. Surely, many bugs would then be fixed pro-actively, rather than re-actively, which will be a much better outcome. Yet, it seems, Apple isn’t doing this (or isn’t doing a good enough job of this).

“Right now, many OS X users still think their system is bulletproof, and some people are interested on making it look that way,” LMH said.

I somewhat agree with this statement, although as many have posted, I don’t necessarily agree with their methodology.

I’ve personally felt that the issue of user security on OS X is a ticking time bomb. Not that there is necessarily anything flawed with OS X in particular, just that the marketing behind it and the community “enthusiasm” seems intent on perpetuating the belief that using OSX makes you secure. Yes, people on forums like this can scoff and say “Oh, we know that no OS is secure.” but there’s a difference between the more technically inclined that visit forums like this to pipe in, and the home users who were convinced to buy Macs to avoid spyware.

I have two concerns with the perception surrounding security on OSX. The first is the separation of OS-level security from application level security; a secure OS doesn’t make your apps necessarily more secure, all it can do is minimize the risk and scope of damage. A remote execution flaw in firefox that can allow access to the user’s home directory, as an exaggerated example, is not one that OSX would likely be able to prevent, any more than linux or Win could. Yet I find many mainstream OSX users I come across seem to feel that OSX creates an invulnerability shield that alleviates them of the need to be responsible. Is this Apple’s fault? Not necessarily, though their marketing efforts poking jabs at Windows would certainly help contribute to that impression. The Mac community itself is probably more to blame, with the constant gushing of *unqualified* statements like “OSX is so much more secure than Windows, you don’t need anti-virus or firewalls”

But I wouldn’t hold the OS manufacturer responsible for the actual security of third-party apps, not even Microsoft. The OS manufacturer however is responsible for minimizing the impact of flaws in the OS that can lead to things like privilege escalation exploits etc.

Which brings me to my second concern; admittedly the vast majority of reported flaws in OSX are not of the remote-execution variety, they are generally system level flaws that would require user access to the system. Because of this, I find the OSX community often scoffs and says “Big deal, it’s not a remote exploit. If someone has access to your system there’s no security anyways.” and while that’s certainly true, the problem lies in the combination of OS-level flaws with third-party (or even Apple’s own) application level flaws. That’s how you reach the point where things like maliciously constructed jpg files in a web browser being run by restricted users can still lead to privilege escalation attacks from visiting a website. To me that’s where the real ticking time bomb is.

Apple certainly does security better than Windows does, though I’ll give MS the benefit of the doubt with Vista since I haven’t used it myself yet. But all that means is that OSX is more secure, not *absolutely* secure. Again, for users on this and other forums, that might seem obvious. But for Joe Average whose research consists of glossy ads and commercials poking fun at Windows, along with unbridled glee from other Mac users, that’s not necessarily the case.

I don’t expect Apple to build a bulletproof OS. I don’t expect anyone to. I do expect a level of responsibility in dealing with security, though, particularly when said manufacturer focuses on the retail/consumer level.

If this “stunt” does anything to shift Apple’s security policies, whether in terms of rolling out regular patches, notifications to customers, or even a campaign along the lines of “How to Practice Safe Computing” I’d be happy with that.

Having said all that, I don’t agree that this is the best way necessarily to handle it. I won’t go so far as to call what these guys are doing unethical, but it’s tacky and it does smack of publicity mongering. Stunts like that can often turn around and bite you in the ass when you least expect it. Just as they can for vendors preaching superior security.

But it should also be a wakeup call that OSX as a platform is drawing more and more attention from vulnerability researchers, which means that it’s only inevitable that it will draw more and more scrutiny from those looking to do real harm.

For the record, to avoid looking like I’m singling out Apple, I would also apply much of what I’ve said to the linux community, and that’s my everyday platform. I find many of the same symptoms of ambivalence within the linux community “Windows sucks, linux is way more secure”, the main difference being that it’s purely the community propagating the myth of absolute security. The linux community has an equal responsibility to their newer or less-experienced users to educate them on aspects of system security and safe computing as a manufacturer like Apple does for their customers.